Re: We need a court action
What could GWR have done in this case? Maybe monitor for multiple logon attempts from unknown users which would probably be the only real indicator that an attack was being carried out using a data base of existing user/password combinations harvested from the web. It would seem that they did pick it up using this sort of methodology but the basic issue is people reusing the same password everywhere and not being aware when their passwords may have been compromised or not changing them every where if they do become aware.
I can't see how you can legislate for that sort of educational problem